By Cam Roberson Director of the Reseller Channel for Beachhead Solutions

It’s unfortunate that the Health Insurance Portability and Accountability Act (HIPAA) is so complex. Not only do many health organizations under its law not understand what is required of them when it comes to safeguarding the personal health information (PHI) of medical patients, but the complexities of HIPAA can even create awkward and paradoxical situations for the MSPs serving these medical practices.
The fact that HIPAA has a history of extraordinarily costly enforcement actions for non-compliance only intensifies the need for health organizations to seek help in following the law strictly, even with all its nuances. And most do just that. However, HIPAA creates a paradox that arises from this fact: an MSP that possesses or has access to a HIPAA Covered Entities (CE) PHI is required to be HIPAA compliant as well. This, of course, is a Catch-22: how can a business that hires an MSP in order to handle their data security and implement HIPAA compliance possibly have the expertise to judge whether the MSP’s own practices around HIPAA are adequate? The mind reels at the thought of secondary MSPs hired to check the HIPAA-related precautions of health organizations’ primary MSPs (and then if those touch the HIPAA-protected data they could require other MSPs for tertiary checks). It’s HIPAA hurdles all the way down.
Given this reality, though, the best way forward is for MSPs to ensure their own HIPAA compliance on behalf of the organizations they serve by making it part of their service duties. What HIPAA requires of a business is that any “business associate” – meaning any entity that has or has had access to PHI entrusted to a HIPAA-covered business – must do their work under a business associate agreement (BAA). This BAA requires the business associate to work within data security requirements delineated by the HIPAA-covered organization (which, as I’ve pointed out, often wouldn’t know how to go about that). It also calls for the implementation of technology measures such as encryption to secure PHI in accordance with certain provisions of HIPAA’s security rules. The kinds of business associates who must operate under such as agreement can include all types of MSPs, from technology providers to medical claims processors, data analysts, and providers of quality assurance, billing and collections, practice management, legal services, accounting, and consulting.

